<!DOCTYPE html>
<html lang="zh-Hans">
<head>
  <meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
<meta name="theme-color" content="#222">
<meta name="generator" content="Hexo 5.4.0">


  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png">
  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png">
  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png">
  <link rel="mask-icon" href="/images/logo.svg" color="#222">

<link rel="stylesheet" href="/css/main.css">



<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free@5.15.3/css/all.min.css" integrity="sha256-2H3fkXt6FEmrReK448mDVGKb3WW2ZZw35gI7vqHOE4Y=" crossorigin="anonymous">
  <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/animate.css@3.1.1/animate.min.css" integrity="sha256-PR7ttpcvz8qrF57fur/yAx1qXMFJeJFiA6pSzWi0OIE=" crossorigin="anonymous">

<script class="next-config" data-name="main" type="application/json">{&quot;hostname&quot;:&quot;www.nilstorm.com&quot;,&quot;root&quot;:&quot;&#x2F;&quot;,&quot;images&quot;:&quot;&#x2F;images&quot;,&quot;scheme&quot;:&quot;Gemini&quot;,&quot;version&quot;:&quot;8.5.0&quot;,&quot;exturl&quot;:false,&quot;sidebar&quot;:{&quot;position&quot;:&quot;left&quot;,&quot;display&quot;:&quot;post&quot;,&quot;padding&quot;:18,&quot;offset&quot;:12},&quot;copycode&quot;:false,&quot;bookmark&quot;:{&quot;enable&quot;:false,&quot;color&quot;:&quot;#222&quot;,&quot;save&quot;:&quot;auto&quot;},&quot;fancybox&quot;:false,&quot;mediumzoom&quot;:false,&quot;lazyload&quot;:false,&quot;pangu&quot;:false,&quot;comments&quot;:{&quot;style&quot;:&quot;tabs&quot;,&quot;active&quot;:null,&quot;storage&quot;:true,&quot;lazyload&quot;:false,&quot;nav&quot;:null},&quot;motion&quot;:{&quot;enable&quot;:true,&quot;async&quot;:false,&quot;transition&quot;:{&quot;post_block&quot;:&quot;fadeIn&quot;,&quot;post_header&quot;:&quot;fadeInDown&quot;,&quot;post_body&quot;:&quot;fadeInDown&quot;,&quot;coll_header&quot;:&quot;fadeInLeft&quot;,&quot;sidebar&quot;:&quot;fadeInUp&quot;}},&quot;prism&quot;:false,&quot;i18n&quot;:{&quot;placeholder&quot;:&quot;Searching...&quot;,&quot;empty&quot;:&quot;We didn&#39;t find any results for the search: ${query}&quot;,&quot;hits_time&quot;:&quot;${hits} results found in ${time} ms&quot;,&quot;hits&quot;:&quot;${hits} results found&quot;}}</script><script src="/js/config.js"></script>
<meta name="description" content="DMI_CONSTANT_DB_PASSWORDHardcoded constant database password代码中创建DB的密码时采用了写死的密码。">
<meta property="og:type" content="article">
<meta property="og:title" content="FindBugs 规则整理：Security &amp; Experimental">
<meta property="og:url" content="http://www.nilstorm.com/2017/2.7613e+22.html">
<meta property="og:site_name" content="Lam&#39;s Blog">
<meta property="og:description" content="DMI_CONSTANT_DB_PASSWORDHardcoded constant database password代码中创建DB的密码时采用了写死的密码。">
<meta property="og:locale">
<meta property="og:image" content="https://tva1.sinaimg.cn/large/007S8ZIlgy1gee6wkfo69j30e9026gm4.jpg">
<meta property="article:published_time" content="2017-03-03T02:37:06.000Z">
<meta property="article:modified_time" content="2021-06-06T08:08:18.170Z">
<meta property="article:author" content="LinBinghe">
<meta property="article:tag" content="FindBugs">
<meta property="article:tag" content="规则">
<meta property="article:tag" content="Security">
<meta property="article:tag" content="Experimental">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://tva1.sinaimg.cn/large/007S8ZIlgy1gee6wkfo69j30e9026gm4.jpg">


<link rel="canonical" href="http://www.nilstorm.com/2017/2.7613e+22.html">



<script class="next-config" data-name="page" type="application/json">{&quot;sidebar&quot;:&quot;&quot;,&quot;isHome&quot;:false,&quot;isPost&quot;:true,&quot;lang&quot;:&quot;zh-Hans&quot;,&quot;comments&quot;:true,&quot;permalink&quot;:&quot;http:&#x2F;&#x2F;www.nilstorm.com&#x2F;2017&#x2F;2.7613e+22.html&quot;,&quot;path&quot;:&quot;2017&#x2F;2.7613e+22.html&quot;,&quot;title&quot;:&quot;FindBugs 规则整理：Security &amp; Experimental&quot;}</script>

<script class="next-config" data-name="calendar" type="application/json">&quot;&quot;</script>
<title>FindBugs 规则整理：Security & Experimental | Lam's Blog</title>
  




  <noscript>
    <link rel="stylesheet" href="/css/noscript.css">
  </noscript>
<link rel="alternate" href="/atom.xml" title="Lam's Blog" type="application/atom+xml">
</head>

<body itemscope itemtype="http://schema.org/WebPage" class="use-motion">

  <main class="main">
    <header class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-container">

  <div class="site-meta">

    <a href="/" class="brand" rel="start">
      <i class="logo-line"></i>
      <h1 class="site-title">Lam's Blog</h1>
      <i class="logo-line"></i>
    </a>
      <p class="site-subtitle" itemprop="description">Knowledge as Action</p>
  </div>

</div>







</div>
        
  



    </header>

    


    <div class="main-inner post posts-expand">


  


<div class="post-block">
  
  

  <article itemscope itemtype="http://schema.org/Article" class="post-content" lang="zh-Hans">
    <link itemprop="mainEntityOfPage" href="http://www.nilstorm.com/2017/2.7613e+22.html">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/images/avatar.jpg">
      <meta itemprop="name" content="LinBinghe">
      <meta itemprop="description" content="Knowledge as Action">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="Lam's Blog">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          FindBugs 规则整理：Security & Experimental
        </h1>

        <div class="post-meta-container">
          <div class="post-meta">
    <span class="post-meta-item">
      <span class="post-meta-item-icon">
        <i class="far fa-calendar"></i>
      </span>
      <span class="post-meta-item-text">Posted on</span>

      <time title="Created: 2017-03-03 10:37:06" itemprop="dateCreated datePublished" datetime="2017-03-03T10:37:06+08:00">2017-03-03</time>
    </span>
      <span class="post-meta-item">
        <span class="post-meta-item-icon">
          <i class="far fa-calendar-check"></i>
        </span>
        <span class="post-meta-item-text">Edited on</span>
        <time title="Modified: 2021-06-06 16:08:18" itemprop="dateModified" datetime="2021-06-06T16:08:18+08:00">2021-06-06</time>
      </span>
    <span class="post-meta-item">
      <span class="post-meta-item-icon">
        <i class="far fa-folder"></i>
      </span>
      <span class="post-meta-item-text">In</span>
        <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
          <a href="/categories/FindBugs/" itemprop="url" rel="index"><span itemprop="name">FindBugs</span></a>
        </span>
    </span>

  
</div>

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">
        <h1 id="DMI-CONSTANT-DB-PASSWORD"><a href="#DMI-CONSTANT-DB-PASSWORD" class="headerlink" title="DMI_CONSTANT_DB_PASSWORD"></a>DMI_CONSTANT_DB_PASSWORD</h1><p><em>Hardcoded constant database password</em><br>代码在创建数据库连接时使用了硬编码（写死）的常量密码。<br><span id="more"></span></p>
<h1 id="DMI-EMPTY-DB-PASSWORD"><a href="#DMI-EMPTY-DB-PASSWORD" class="headerlink" title="DMI_EMPTY_DB_PASSWORD"></a>DMI_EMPTY_DB_PASSWORD</h1><p><em>Empty database password</em><br>创建数据库连接时没有为数据库设置密码，这会使数据库失去必要的保护。</p>
<h1 id="HRS-REQUEST-PARAMETER-TO-COOKIE"><a href="#HRS-REQUEST-PARAMETER-TO-COOKIE" class="headerlink" title="HRS_REQUEST_PARAMETER_TO_COOKIE"></a>HRS_REQUEST_PARAMETER_TO_COOKIE</h1><p><em>HTTP cookie formed from untrusted input</em><br>此代码使用不受信任的HTTP参数构造一个HTTP Cookie。</p>
<h1 id="HRS-REQUEST-PARAMETER-TO-HTTP-HEADER"><a href="#HRS-REQUEST-PARAMETER-TO-HTTP-HEADER" class="headerlink" title="HRS_REQUEST_PARAMETER_TO_HTTP_HEADER"></a>HRS_REQUEST_PARAMETER_TO_HTTP_HEADER</h1><p><em>HTTP Response splitting vulnerability</em><br>代码把一个 HTTP 请求参数直接写入 HTTP 响应头，这会导致 HTTP 响应拆分（Response Splitting）漏洞。</p>
<h1 id="SQL-NONCONSTANT-STRING-PASSED-TO-EXECUTE"><a href="#SQL-NONCONSTANT-STRING-PASSED-TO-EXECUTE" class="headerlink" title="SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE"></a>SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE</h1><p><em>Nonconstant string passed to execute method on an SQL statement</em><br>该方法把一个非常量字符串传给 SQL Statement 的 execute 方法，看起来是在动态拼接 SQL 语句，这更容易受到 SQL 注入攻击。</p>
<h1 id="XSS-REQUEST-PARAMETER-TO-JSP-WRITER"><a href="#XSS-REQUEST-PARAMETER-TO-JSP-WRITER" class="headerlink" title="XSS_REQUEST_PARAMETER_TO_JSP_WRITER"></a>XSS_REQUEST_PARAMETER_TO_JSP_WRITER</h1><p><em>JSP reflected cross site scripting vulnerability</em><br>代码把一个 HTTP 参数直接写入 JSP 输出，这会造成反射型跨站脚本（XSS）漏洞。</p>
<h1 id="LG-LOST-LOGGER-DUE-TO-WEAK-REFERENCE"><a href="#LG-LOST-LOGGER-DUE-TO-WEAK-REFERENCE" class="headerlink" title="LG_LOST_LOGGER_DUE_TO_WEAK_REFERENCE"></a>LG_LOST_LOGGER_DUE_TO_WEAK_REFERENCE</h1><p><em>Potential lost logger changes due to weak reference in OpenJDK</em><br>OpenJDK 引入了一个潜在的不兼容问题：java.util.logging.Logger 的行为发生了变化，它在内部改用弱引用而不是强引用。这本是一个合理的改动，但不幸的是一些代码依赖旧的行为——它们在修改 logger 配置后直接丢弃了对 logger 的引用。这意味着垃圾收集器可以回收该 logger，logger 的配置也就随之丢失。例如：<br><code>public static void initLogging() throws Exception &#123;
   Logger logger = Logger.getLogger(&quot;edu.umd.cs&quot;);
   logger.addHandler(new FileHandler()); // call to change logger configuration
   logger.setUseParentHandlers(false); // another call to change logger configuration
&#125;</code><br>该方法返回时对 logger 的引用就丢失了；如果在调用 initLogging 之后紧接着发生垃圾回收，logger 的配置就会丢失（因为 logger 只被弱引用持有）。<br><code>public static void main(String[] args) throws Exception &#123;
   initLogging(); // adds a file handler to the logger
   System.gc(); // logger configuration lost
   Logger.getLogger(&quot;edu.umd.cs&quot;).info(&quot;Some message&quot;); // this isn&#39;t logged to the file as expected
&#125;</code></p>
<h1 id="OBL-UNSATISFIED-OBLIGATION"><a href="#OBL-UNSATISFIED-OBLIGATION" class="headerlink" title="OBL_UNSATISFIED_OBLIGATION"></a>OBL_UNSATISFIED_OBLIGATION</h1><p><em>Method may fail to clean up stream or resource</em><br>该方法可能没有清理（关闭、释放）某个流、数据库对象或其他需要显式清理操作的资源。<br>一般来说，如果一个方法打开了流或其他资源，就应该使用 try / finally 块确保在方法返回之前该资源已被清理。这种错误模式与 OS_OPEN_STREAM 和 ODR_OPEN_DATABASE_RESOURCE 基本相同，只是采用了不同的静态分析技术。我们正在为这个错误模式的效用收集反馈意见。</p>
<h1 id="其他文章（持续更新）"><a href="#其他文章（持续更新）" class="headerlink" title="其他文章（持续更新）"></a>其他文章（持续更新）</h1><p><a target="_blank" rel="noopener" href="http://linbinghe.me/2017/b8a60a5e.html">FindBugs：简介与使用</a><br><a target="_blank" rel="noopener" href="http://linbinghe.me/2017/f6c077f9.html">FindBugs 规则整理：Bad Practice</a><br><a target="_blank" rel="noopener" href="http://linbinghe.me/2017/eb74f6c5.html">FindBugs 规则整理：Style &amp; Dodgy</a><br><a target="_blank" rel="noopener" href="http://linbinghe.me/2017/7a2a5923.html">FindBugs 规则整理：Internationalization</a><br><a target="_blank" rel="noopener" href="http://linbinghe.me/2017/7dfffed7.html">FindBugs 规则整理：Malicious Code Vulnerability</a><br><a target="_blank" rel="noopener" href="http://linbinghe.me/2017/8a8d645f.html">FindBugs 规则整理：Performance</a><br><a target="_blank" rel="noopener" href="http://linbinghe.me/2017/baebe2db.html">FindBugs 规则整理：Multithreaded Correctness</a><br><a target="_blank" rel="noopener" href="http://linbinghe.me/2017/b2ff5786.html">FindBugs 规则整理：CORRECTNESS</a></p>
<h1 id="引用"><a href="#引用" class="headerlink" title="引用"></a>引用</h1><p><em>整合以下文章过程中发现部分存在翻译错误，已做修正，同时感谢以下文章作者</em><br><a target="_blank" rel="noopener" href="http://blog.csdn.net/jdsjlzx/article/details/21472253/">FindBugs规则整理</a></p>
<hr>
<p><strong>版权声明</strong></p>
<p><img src="https://tva1.sinaimg.cn/large/007S8ZIlgy1gee6wkfo69j30e9026gm4.jpg" alt="Creative Commons BY-NC-ND 4.0 International License"></p>
<p><a target="_blank" rel="noopener" href="http://linbinghe.me/">Lam’s Blog</a> by <a target="_blank" rel="noopener" href="http://linbinghe.me/">Binghe Lin</a> is licensed under a <a target="_blank" rel="noopener" href="https://creativecommons.org/licenses/by-nc-sa/4.0/">Creative Commons BY-NC-ND 4.0 International License</a>.<br>由<a target="_blank" rel="noopener" href="http://linbinghe.me/">林炳河</a>创作并维护的<a target="_blank" rel="noopener" href="http://linbinghe.me/">Lam’s Blog</a>采用<a target="_blank" rel="noopener" href="https://creativecommons.org/licenses/by-nc-sa/4.0/">创作共用保留署名-非商业-禁止演绎4.0国际许可证</a>。</p>
<p>本文首发于<a target="_blank" rel="noopener" href="http://linbinghe.me/">Lam’s Blog - Knowledge as Action</a>，版权所有，侵权必究。</p>
<p>本文永久链接：<a target="_blank" rel="noopener" href="http://codinglife.me/2017/2.7613e+22.html">http://codinglife.me/2017/2.7613e+22.html</a></p>

    </div>

    
    
    

    <footer class="post-footer">
          <div class="post-tags">
              <a href="/tags/FindBugs/" rel="tag"># FindBugs</a>
              <a href="/tags/%E8%A7%84%E5%88%99/" rel="tag"># 规则</a>
              <a href="/tags/Security/" rel="tag"># Security</a>
              <a href="/tags/Experimental/" rel="tag"># Experimental</a>
          </div>

        

    </footer>
  </article>
</div>






</div>
  </main>

  <footer class="footer">
    <div class="footer-inner">


<div class="copyright">
  &copy; 
  <span itemprop="copyrightYear">2021</span>
  <span class="with-love">
    <i class="fa fa-heart"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">LinBinghe</span>
</div>

    </div>
  </footer>

  
  <script src="https://cdn.jsdelivr.net/npm/animejs@3.2.1/lib/anime.min.js" integrity="sha256-XL2inqUJaslATFnHdJOi9GfQ60on8Wx1C2H8DYiN1xY=" crossorigin="anonymous"></script>
<script src="/js/comments.js"></script><script src="/js/utils.js"></script><script src="/js/motion.js"></script><script src="/js/next-boot.js"></script>

  






  





</body>
</html>
